For privacy’s sake – Data Transfer Assessments can be made public. Is that too much to ask?

For privacy’s sake – Data Transfer Assessments can be made public. Is that too much to ask?

MPC – Practical Privacy Insight Series

In our work at MPC with our clients we come across a variety of technology and marketing solutions that in turn partner with other vendors to enrich their technologies. 

Part of our due diligence is to understand the data flows and whether privacy was engineered into the thinking of the solution.

There are some technology providers who would offer their Data Transfer Impact assessments to us, but very few and far between.

We ask for a PIA on a specific product or service – crickets!

Let us take away the excuse from these technology providers by answering a few questions:

  1. Is a Privacy Impact Assessment a private or public document?

Answer: Both. MPC worked with various public facing clients to “certify” their product or service. We conducted a Privacy Impact Assessment that was very detailed from a technology and security perspective and insisted on the appropriate remediations. At this point, a summary Privacy Impact Assessment – with the appropriate assurances and controls can be issued for the public and potential customers. 

A published PIA Report is a statement of trust and an incentive for buyers. Customers will see that you have the correct privacy practices in place and you have implemented privacy positive controls and that your company takes accountability seriously.

  1. Is  Data Transfer Impact Assessment “privileged”?

Answer: At the moment the concern is about transfers from the EU to the US for service providers that require to comply with  a) FISA Section 702 (“FISA 702”); b) Executive Order 12333 (“EO 12333”); c) CLOUD Act

A Data Transfer Impact Assessment or DTIA (or TIA)  has the purpose to provide on best efforts basis “to the data exporter with the relevant information” to complete an assessment of the laws of the destination country, and the parties’ joint agreement to “document the assessment . . . and make it available to the competent supervisory authority on request.”

Such a document is not subject to attorney-client privilege as this is not about a communication between privileged persons made in confidence to seek legal advice. Under US Law, the data importer and data exporter are not “privileged persons”. The competent supervisory authority can ask for this document at any time – so there is no confidentiality or shyness from the public eye. What will remain “in confidence” is the interpretation by the regulatory authorities of the intent that the destination country assessment was complete and accurate. And lastly, given that the parties are contractually obligated to “document the assessment [of the impact of the transfer]” under SCCs, a court may view the communication’s primary purpose as fulfilling a contractual obligation and not to provide legal assistance, so there should be no concern of seeking legal advice as part of the process.

In conclusion: (D)TIAs can be made public and there are companies that post these on their website, along with their Cookie policy and other important privacy statements.

With these barriers removed, this is a win-win situation for privacy and business. Join the very brave few who are stating to the world their position of trust and respect for privacy and data protection and are rewarded with a lot more customers as a result.

A (D)TIA should include an assessment about all the subsequent vendors used, how they use/process the client data, where (which countries) does it flow to, an assessment of their laws that may interfere with the confidentiality of the client data and what safeguards were implemented to keep the data safe, available and confidential as well as within the client’s reach – should they need to fulfill any requests from a customer of of an investigative nature from a regulator.

Processors or importers should understand their support role for a data exporter or controller and provide these documents during the negotiations and before any contracts to engage their services are signed.

Does your organization need to conduct a PIA or a (D)TIA here in Canada or the US? We can help and put a smile on your face. Privacy can be beautiful and can influence your organization’s growth and appeal to interested parties significantly. For more information contact us at:



Facebook: @ManagedPrivacy

Instagram: @managedprivacycanada

Twitter: @managedprivacy

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on email

Sign up for our Newsletter